I'm trying to upgrade my hardened 2.6.34 to 2.6.37 on a server with an ~amd64 hardened no-multilib profile. System boots fine, I'm just unable to load any module.

Reproducible: Always

Steps to Reproduce:
1. boot hardened 2.6.37 (with/without any grsec/pax features enabled - would not matter)
2. modprobe <any module>

Actual Results:
modprobe and insmod return "Invalid module format", dmesg shows errors about "overflow in relocation type 11":

kernel: overflow in relocation type 11 val ffffc9000000c080
kernel: `scsi_wait_scan' likely not compiled with -mcmodel=kernel

Expected Results:
Module being loaded into kernel space

I tried gcc 4.4.5 and 4.5.2, gentoo-sources 2.6.37 and hardened-sources 2.6.37 r2/r3. With all additional features disabled and with features as in the previous 2.6.34 kernel as well.

I've found other reports with these messages on Google, but they date from 2009, 2.6.32, and are related to percpu changes in the kernel (not grsec patches!)

# ld -v
GNU ld (GNU Binutils) 2.21

# gcc -v
Using built-in specs.
COLLECT_GCC=/usr/x86_64-pc-linux-gnu/gcc-bin/4.5.2/gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/4.5.2/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/paludis/sys-devel-gcc-4.5.2/work/gcc-4.5.2/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.5.2 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.2/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.5.2 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.5.2/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.5.2/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.5.2/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --disable-fixed-point --without-ppl --without-cloog --disable-lto --enable-nls --without-included-gettext --with-system-zlib --disable-werror --enable-secureplt --disable-multilib --enable-libmudflap --disable-libssp --enable-esp --enable-libgomp --enable-cld --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/4.5.2/python --enable-checking=release --disable-libgcj --enable-languages=c,c++ --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=http://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 4.5.2 p1.1, pie-0.4.5'
Thread model: posix
gcc version 4.5.2 (Gentoo Hardened 4.5.2 p1.1, pie-0.4.5)

# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Xeon(R) CPU 3050 @ 2.13GHz

# cat /usr/src/diff
--- linux-2.6.37-gentoo/.config 2011-02-22 19:59:12.000000000 +0100
+++ linux-2.6.37-hardened-r3/.config 2011-02-23 10:56:19.000000000 +0100
-# Linux/x86 2.6.37-gentoo Kernel Configuration
-# Tue Feb 22 19:59:12 2011
+# Linux/x86 2.6.37-hardened-r3 Kernel Configuration
+# Wed Feb 23 10:56:19 2011
+CONFIG_X86_ALIGNMENT_16=y
-CONFIG_COMPAT_VDSO=y
+# CONFIG_COMPAT_VDSO is not set
-# CONFIG_ECONET is not set
-CONFIG_PROC_PAGE_MONITOR=y
+# CONFIG_PROC_PAGE_MONITOR is not set
+
+#
+# Grsecurity
+#
+# CONFIG_GRKERNSEC is not set
+
+#
+# PaX
+#
+CONFIG_TASK_SIZE_MAX_SHIFT=47
+# CONFIG_PAX is not set
+
+#
+# Miscellaneous hardening features
+#
+# CONFIG_PAX_MEMORY_SANITIZE is not set
+# CONFIG_PAX_MEMORY_UDEREF is not set

gcc use flags: -* hardened mudflap nls nptl openmp

The machine is a Dell PowerEdge 860.
Interesting though, the genkernel initrd is able to load the iscsi/scsi modules, but I can't from within the regular system. Another note: I'm still experimenting with kernel settings and will report if I can narrow the problem down more than that. I seem to have found a configuration that doesn't show these symptoms
diff non-working to working:

# diff ../config-2.6.37-hardened-r3_ALT .config -ur | grep -e "^[+-]" | grep -v "^.#"
--- ../config-2.6.37-hardened-r3_ALT 2011-02-22 20:51:17.000000000 +0100
+++ .config 2011-02-23 11:12:54.000000000 +0100
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_NS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_RESOURCE_COUNTERS=y
+CONFIG_CGROUP_MEM_RES_CTLR=y
+CONFIG_CGROUP_MEM_RES_CTLR_SWAP=y
+CONFIG_CGROUP_MEM_RES_CTLR_SWAP_ENABLED=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_BLK_CGROUP=y
+CONFIG_UTS_NS=y
+CONFIG_IPC_NS=y
+CONFIG_PID_NS=y
+CONFIG_NET_NS=y
+CONFIG_MM_OWNER=y
-CONFIG_MODVERSIONS=y
-CONFIG_MODULE_SRCVERSION_ALL=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_FREEZER=y
+CONFIG_X86_EXTENDED_PLATFORM=y
-CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_INTERNODE_CACHE_SHIFT=7
-CONFIG_SCHED_SMT=y
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
+CONFIG_NUMA=y
+CONFIG_X86_64_ACPI_NUMA=y
+CONFIG_NODES_SPAN_OTHER_NODES=y
+CONFIG_NODES_SHIFT=6
+CONFIG_NEED_MULTIPLE_NODES=y
+CONFIG_MIGRATION=y
+CONFIG_RELOCATABLE=y
+CONFIG_HAVE_ARCH_EARLY_PFN_TO_NID=y
+CONFIG_USE_PERCPU_NUMA_NODE_ID=y
+CONFIG_ACPI_NUMA=y
+CONFIG_INTEL_IDLE=y
+CONFIG_I7300_IDLE_IOAT_CHANNEL=y
+CONFIG_I7300_IDLE=m
-CONFIG_GRKERNSEC=y
-CONFIG_GRKERNSEC_CUSTOM=y
-
-CONFIG_GRKERNSEC_KMEM=y
-CONFIG_GRKERNSEC_IO=y
-CONFIG_GRKERNSEC_PROC_MEMMAP=y
-CONFIG_GRKERNSEC_BRUTE=y
-CONFIG_GRKERNSEC_MODHARDEN=y
-CONFIG_GRKERNSEC_HIDESYM=y
-
-CONFIG_GRKERNSEC_ACL_HIDEKERN=y
-CONFIG_GRKERNSEC_ACL_MAXTRIES=3
-CONFIG_GRKERNSEC_ACL_TIMEOUT=30
-
-CONFIG_GRKERNSEC_PROC=y
-CONFIG_GRKERNSEC_PROC_USERGROUP=y
-CONFIG_GRKERNSEC_PROC_GID=10
-CONFIG_GRKERNSEC_LINK=y
-CONFIG_GRKERNSEC_FIFO=y
-CONFIG_GRKERNSEC_ROFS=y
-CONFIG_GRKERNSEC_CHROOT=y
-CONFIG_GRKERNSEC_CHROOT_MOUNT=y
-CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
-CONFIG_GRKERNSEC_CHROOT_PIVOT=y
-CONFIG_GRKERNSEC_CHROOT_CHDIR=y
-CONFIG_GRKERNSEC_CHROOT_CHMOD=y
-CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
-CONFIG_GRKERNSEC_CHROOT_MKNOD=y
-CONFIG_GRKERNSEC_CHROOT_SHMAT=y
-CONFIG_GRKERNSEC_CHROOT_UNIX=y
-CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
-CONFIG_GRKERNSEC_CHROOT_NICE=y
-CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
-CONFIG_GRKERNSEC_CHROOT_CAPS=y
-
-CONFIG_GRKERNSEC_FORKFAIL=y
-CONFIG_GRKERNSEC_PROC_IPADDR=y
-
-CONFIG_GRKERNSEC_DMESG=y
-CONFIG_GRKERNSEC_HARDEN_PTRACE=y
-
-CONFIG_GRKERNSEC_RANDNET=y
-
-CONFIG_GRKERNSEC_SYSCTL=y
-CONFIG_GRKERNSEC_SYSCTL_ON=y
-
-CONFIG_GRKERNSEC_FLOODTIME=10
-CONFIG_GRKERNSEC_FLOODBURST=4
-CONFIG_PAX=y
-
-CONFIG_PAX_SOFTMODE=y
-CONFIG_PAX_EI_PAX=y
-CONFIG_PAX_PT_PAX_FLAGS=y
-CONFIG_PAX_HAVE_ACL_FLAGS=y
-
-CONFIG_PAX_NOEXEC=y
-CONFIG_PAX_PAGEEXEC=y
-CONFIG_PAX_EMUTRAMP=y
-CONFIG_PAX_MPROTECT=y
-CONFIG_PAX_ELFRELOCS=y
-
-CONFIG_PAX_ASLR=y
-CONFIG_PAX_RANDUSTACK=y
-CONFIG_PAX_RANDMMAP=y
-CONFIG_PAX_MEMORY_SANITIZE=y
-CONFIG_PAX_REFCOUNT=y
-CONFIG_PAX_USERCOPY=y
This one works, too. I am starting to think grsec is missing to select some options.

# diff ../config-2.6.37-hardened-r3_ALT .config -ur | grep -e "^[+-]" | grep -v "^.#"
--- ../config-2.6.37-hardened-r3_ALT 2011-02-22 20:51:17.000000000 +0100
+++ .config 2011-02-23 12:03:52.000000000 +0100
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_NS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_RESOURCE_COUNTERS=y
+CONFIG_CGROUP_MEM_RES_CTLR=y
+CONFIG_CGROUP_MEM_RES_CTLR_SWAP=y
+CONFIG_CGROUP_MEM_RES_CTLR_SWAP_ENABLED=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_BLK_CGROUP=y
+CONFIG_UTS_NS=y
+CONFIG_IPC_NS=y
+CONFIG_PID_NS=y
+CONFIG_NET_NS=y
+CONFIG_MM_OWNER=y
-CONFIG_MODVERSIONS=y
-CONFIG_MODULE_SRCVERSION_ALL=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_FREEZER=y
+CONFIG_X86_EXTENDED_PLATFORM=y
-CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_INTERNODE_CACHE_SHIFT=7
-CONFIG_SCHED_SMT=y
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
-CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_NUMA=y
+CONFIG_X86_64_ACPI_NUMA=y
+CONFIG_NODES_SPAN_OTHER_NODES=y
+CONFIG_NODES_SHIFT=6
+CONFIG_NEED_MULTIPLE_NODES=y
+CONFIG_MIGRATION=y
+CONFIG_RELOCATABLE=y
+CONFIG_HAVE_ARCH_EARLY_PFN_TO_NID=y
+CONFIG_USE_PERCPU_NUMA_NODE_ID=y
+CONFIG_ACPI_NUMA=y
+CONFIG_INTEL_IDLE=y
+CONFIG_I7300_IDLE_IOAT_CHANNEL=y
+CONFIG_I7300_IDLE=m
-CONFIG_PROC_KCORE=y
+CONFIG_GRKERNSEC_PROC_ADD=y
-CONFIG_GRKERNSEC_ROFS=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+CONFIG_GRKERNSEC_TIME=y

I think I'll leave it as is unless someone asks me to test specific settings. It's a pain to reboot the box remotely each time. Setting the bug to worksforme for now.
Hi from your diffs I saw something I don't like:

-CONFIG_MODVERSIONS=y
-CONFIG_MODULE_SRCVERSION_ALL=y

Mind making sure module versioning is disabled?
# zgrep VERSION /proc/config.gz

CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set

... but I'm not sure (language barriers) whether that's what you wanted to know.
(In reply to comment #5)
> # zgrep VERSION /proc/config.gz
>
> CONFIG_LOCALVERSION=""
> # CONFIG_LOCALVERSION_AUTO is not set
> # CONFIG_MODVERSIONS is not set
> # CONFIG_MODULE_SRCVERSION_ALL is not set
>
> ... but I'm not sure (language barriers) whether that's what you wanted to know.
>

What I mean is that I think your problem is that module versioning (i.e. CONFIG_MODVERSIONS CONFIG_MODULE_SRCVERSION_ALL) is enabled in your bad kernel config, thus you get all those problems with the kernel. So make sure your config looks like:

[ ] Module versioning support
[ ] Source checksum for all modules
So these options are unsupported with hardened-sources? ok
Then maybe I relied too much on the kernel select/deselect logic. ;)
It is not that they aren't supported, but I think they are the cause of the trouble for the way they act. The first option is meant to load modules for other kernels which obviously you don't want as you can compile them with your sources. The second one adds an extra field to the modules which can be the other cause of the troubles as you may be loading modules without that field.
Well, I did understand the meaning of the settings and also made sure to have a clean build each time (backup of .config, make mrproper, rm /lib/modules/..., restore .config, make menuconfig, genkernel all...).

So I'll keep those options disabled. Anything you want me to try? Keep in mind I'd preferably not reboot the server too often.
(In reply to comment #9)
> Well, I did understand the meaning of the settings and also made sure to have a
> clean build each time (backup of .config, make mrproper, rm /lib/modules/...,
> restore .config, make menuconfig, genkernel all...)
> So I'll keep those options disabled. Anything you want me to try? Keep in mind
> I'd preferably not reboot the server too often.

Maybe you could check the last modification times of the modules in /lib? It is done by ls -l. Make sure they are not before your build.
this is happening for me too. I'm unable to load kernel modules with hardened-sources-2.6.38*/hardened-sources-2.6.39*.

kernel modules fail to load with the error "invalid module format".
kern.log shows the errors:
- overflow in relocation type 11 val ffffc90005983a50
- `vboxdrv' likely not compiled with -mcmodel=kernel

this is running on a sandy bridge architecture laptop with gcc 4.5.2. i had to use the CFLAG -mno-avx to make xulrunner work, so that may/may not be an issue. gentoo-sources work fine though.

relevant kernel config:

CONFIG_MODULES=y
# CONFIG_MODULE_FORCE_LOAD is not set
# CONFIG_MODULE_UNLOAD is not set
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set

#
# Security options
#

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
# CONFIG_GRKERNSEC_HARDENED_SERVER is not set
# CONFIG_GRKERNSEC_HARDENED_WORKSTATION is not set
CONFIG_GRKERNSEC_HARDENED_VIRTUALIZATION=y
# CONFIG_GRKERNSEC_CUSTOM is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
# CONFIG_GRKERNSEC_PROC_ADD is not set
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_TASK_SIZE_MAX_SHIFT=47
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_MEMORY_STACKLEAK is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
CONFIG_KEYS=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_IMA is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y

pruthvi ~ # emerge --info
Portage 2.1.10.3 (hardened/linux/amd64, gcc-4.5.2, glibc-2.12.2-r0, 2.6.39-hardened-r4 x86_64)
=================================================================
System uname: Linux-2.6.39-hardened-r4-x86_64-Intel-R-_Core-TM-_i7-2720QM_CPU_@_2.20GHz-with-gentoo-2.0.3
Timestamp of tree: Tue, 05 Jul 2011 01:30:01 +0000
app-shells/bash: 4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.1-r1, 3.1.3-r1
dev-util/cmake: 2.8.4-r1
dev-util/pkgconfig: 0.25-r2
sys-apps/baselayout: 2.0.3
sys-apps/openrc: 0.8.3-r1
sys-apps/sandbox: 2.4
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.5.2
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.82
sys-kernel/linux-headers: 2.6.38 (virtual/os-headers)
sys-libs/glibc: 2.12.2
Repositories: gentoo lcd-filtering xhub multimedia x-bumblebee x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -O2 -pipe -floop-interchange -floop-strip-mine -floop-block -fgraphite-identity -ftree-loop-distribution -ftree-loop-linear -ftree-vectorize"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -O2 -pipe -march=native -O2 -pipe -floop-interchange -floop-strip-mine -floop-block -fgraphite-identity -ftree-loop-distribution -ftree-loop-linear -ftree-vectorize"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.cites.uiuc.edu/pub/gentoo/ http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-O1 -Wl,--sort-common -Wl,--warn-once,--hash-style=gnu -Wl,--as-needed"
LINGUAS="en_GB en_US en hi_IN hi sa_IN ta_IN ta"
MAKEOPTS="-j7"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/lcd-filtering /var/lib/layman/xhub /var/lib/layman/multimedia /var/lib/layman/bumblebee /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac aalib acl acpi alsa amd64 apache2 automount avahi bash-completion berkdb bluetooth bluray bonjour bzip2 cairo caps cdda cddb cdparanoia cdr cli consolekit cracklib crypt css cups curl curlwrappers cvs cxx dbus device-mapper dga dhcpcd dirac divx dri dts dvd dvdr dvdread emacs encode evdev exif expat extras faac faad fbcon ffmpeg flac fontconfig ftp fuse gconf gcrypt gd gdbm gdu geoip gif git gnome gnutls gopher gphoto2 gpm graphite gsm gstreamer gtk gzip hardened hddtemp iconv icu imap ipv6 java java6 javascript jpeg jpeg2k json justify kerberos laptop latex lcdfilter lcms ldap libnotify libsamplerate lm_sensors lzo mad matroska mbox mime mmap mmx mmxext mng modules mono mp3 mp4 mpeg mplayer msn mtp mudflap multilib mysql nas nautilus ncurses network networkmanager nls nntp nptl nptlonly nsplugin offensive ogg opengl openmp pam pango pcre pdf perl php png policykit posix pppd prelude pulseaudio python qt3support quicktime readline resolvconf ruby samba sasl scanner schroedinger sdl session smp soap speex spell sql sqlite sqlite3 sse sse2 sse3 ssl ssse3 startup-notification subversion svg sysfs taglib tcpd theora threads tiff tremor truetype udev unicode upnp urandom usb v4l2 vaapi vcd vim-syntax vnc vorbis webkit wext wifi wmf x264 xft xine xml xmp xorg xpm xsl xulrunner xv xvid xvmc xz yahoo zeroconf zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="keyboard mouse evdev evdev synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en_GB en_US en hi_IN hi sa_IN ta_IN ta"
PHP_TARGETS="php5-3"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="intel"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
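
Added example, not code from this bug report or from the kernel tree: a small C program that decodes the "overflow in relocation type 11" lines quoted in the reports above. Relocation type 11 is R_X86_64_32S, whose value must survive sign-extension from 32 bits, which is what code built with -mcmodel=kernel assumes. The address ranges in the macros are an assumption taken from the mainline x86_64 memory map of that era, and the function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { R_X86_64_32 = 10, R_X86_64_32S = 11 };  /* x86-64 psABI numbers */

/* Assumed layout: mainline x86_64 memory map of the 2.6.3x era
 * (Documentation/x86/x86_64/mm.txt), not taken from this thread. */
#define VMALLOC_START 0xffffc90000000000ULL
#define VMALLOC_END   0xffffe8ffffffffffULL
#define MODULES_VADDR 0xffffffffa0000000ULL
#define MODULES_END   0xfffffffffff00000ULL

struct reloc_report {
    int matched, type;
    int fits;            /* 1 fits, 0 overflows, -1 type not modelled */
    uint64_t val;
    const char *region;
};

/* Can val be stored in the 32-bit field this relocation type patches? */
int reloc_fits(int type, uint64_t val)
{
    switch (type) {
    case R_X86_64_32:    /* zero-extended 32 bits */
        return val <= 0xffffffffULL;
    case R_X86_64_32S:   /* sign-extended 32 bits: bottom or top 2 GiB only */
        return val <= 0x7fffffffULL || val >= 0xffffffff80000000ULL;
    default:
        return -1;
    }
}

const char *region_of(uint64_t addr)
{
    if (addr >= MODULES_VADDR && addr < MODULES_END)
        return "module mapping space";
    if (addr >= VMALLOC_START && addr <= VMALLOC_END)
        return "vmalloc space";
    return "other";
}

/* Parse one kernel log line and report why the relocation overflowed. */
struct reloc_report diagnose(const char *line)
{
    struct reloc_report r = { .fits = -1, .region = "n/a" };
    const char *p = strstr(line, "overflow in relocation type ");

    if (p && sscanf(p, "overflow in relocation type %d val %" SCNx64,
                    &r.type, &r.val) == 2) {
        r.matched = 1;
        r.fits = reloc_fits(r.type, r.val);
        r.region = region_of(r.val);
    }
    return r;
}

int main(void)
{
    const char *lines[] = {   /* the two messages quoted in this thread */
        "kernel: overflow in relocation type 11 val ffffc9000000c080",
        "- overflow in relocation type 11 val ffffc90005983a50",
    };
    for (size_t i = 0; i < 2; i++) {
        struct reloc_report r = diagnose(lines[i]);
        printf("type %d val %#" PRIx64 ": fits=%d, target in %s\n",
               r.type, r.val, r.fits, r.region);
    }
    return 0;
}
```

Both reported values fall in the assumed vmalloc range rather than in the top 2 GiB, so neither can be encoded as a sign-extended 32-bit field.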
(In reply to comment #11)
> this is happening for me too. I'm unable to load kernel modules with
> hardened-sources-2.6.38*/hardened-sources-2.6.39*.
>
> kernel modules fail to load with the error "invalid module format".
> kern.log shows the errors:
> - overflow in relocation type 11 val ffffc90005983a50
> - `vboxdrv' likely not compiled with -mcmodel=kernel
>

I was never able to reproduce the original error. However, your error is probably due to the fact that you didn't emerge virtualbox-modules after an upgrade.
(In reply to comment #12)
> (In reply to comment #11)
> > this is happening for me too. I'm unable to load kernel modules with
> > hardened-sources-2.6.38*/hardened-sources-2.6.39*.
> >
> > kernel modules fail to load with the error "invalid module format".
> > kern.log shows the errors:
> > - overflow in relocation type 11 val ffffc90005983a50
> > - `vboxdrv' likely not compiled with -mcmodel=kernel
> >
>
> I was never able to reproduce the original error. However, your error is
> probably due to the fact that you didn't emerge virtualbox-modules after an
> upgrade.

i did re-emerge virtualbox-modules. it is also happening with the kernel built module scsi_wait_scan and other modules like nvidia so it doesn't seem to be specific to virtualbox. i tried disabling grsec and PAX in the kernel config and that made no difference. i also tried with vanilla gcc with no effect so it doesn't seem to be a toolchain issue.
(In reply to comment #13)
> (In reply to comment #12)
> > (In reply to comment #11)
> > > this is happening for me too. I'm unable to load kernel modules with
> > > hardened-sources-2.6.38*/hardened-sources-2.6.39*.
> > >
> > > kernel modules fail to load with the error "invalid module format".
> > > kern.log shows the errors:
> > > - overflow in relocation type 11 val ffffc90005983a50
> > > - `vboxdrv' likely not compiled with -mcmodel=kernel
> > >
> >
> > I was never able to reproduce the original error. However, your error is
> > probably due to the fact that you didn't emerge virtualbox-modules after an
> > upgrade.
>
> i did re-emerge virtualbox-modules. it is also happening with the kernel built
> module scsi_wait_scan and other modules like nvidia so it doesn't seem to be
> specific to virtualbox. i tried disabling grsec and PAX in the kernel config
> and that made no difference. i also tried with vanilla gcc with no effect so it
> doesn't seem to be a toolchain issue.

Found the reason. the error goes away by changing

# CONFIG_MODULE_UNLOAD is not set

to

CONFIG_MODULE_UNLOAD=y

in the kernel config. Is module unloading functionality required by hardened?
Sorry for not answering for such a long time, this message got lost amongst

Can you please test if it still happens against one of the new kernels? The issue looks quite serious for embedded systems.